If init is wedged, then the write will never succeed and reboot won't
happen.
Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.
Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
Merged-In: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
If init is wedged, then the write will never succeed and reboot won't
happen.
Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.
Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
The new exported DSU status removes the need to make blocking binder
calls out of system server during device boot.
Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
-a android.os.image.action.START_INSTALL \
-d file:///storage/emulated/0/Download/system.raw.gz \
--el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
--el KEY_USERDATA_SIZE 8589934592
Change-Id: I27fae316214498407a73474ca8b93aec3518e4b5
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.
Bug: 150130503
Test: persist.sys.usb.config initalized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
Merged-In: I3b5de6fd102e252019e843f39f0875f5aaea7486
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.
Bug: 150130503
Test: persist.sys.usb.config initalized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.
Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock. The only complete solution
is to handle these messages asynchronously.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
through thread annotations, particularly since this code was not
designed with the intention of being multi-threaded.
Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included. To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources. Additionally, expose these sources as a
default for users of libinit_test_utils.
Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
Those keys will be used for key revocation check by DSU installation
service. Note that failing to copy those keys to /metadata is NOT fatal,
because it is auxiliary to perform public key matching prior to booting
into DSU images on next boot. The actual key matching will still be done
on next DSU boot.
Bug: 146910547
Test: boot device, checks the avb keys are copied to /metadata/gsi/dsu/avb/.
Change-Id: I25a4eba82e84288bac7a859205c920628a063651
These can be AIDL or HIDL interfaces. Avoiding assuming the format here.
Bug: 141008902
Test: vts_ibase_test
Change-Id: If60367e3a46c74a1d28548379655f5e211f58b73
Instead they will be logged from system_server. This CL just prepares
grounds for logging CL to land.
Test: adb reboot userspace
Bug: 148767783
Change-Id: Ie9482ef735344ecfb0de8a37785d314a3c0417ff
fmtlib provides compile time checking of format strings that we're not
currently using. This change makes Errorf() and ErrnoErrorf() into
macros such that we can take advantage of this capability.
Test: build successfully normally
Test: fail the build if using an invalid format string
Change-Id: Icb8ba8cb973bbd1fa4755a62e7598bdbb0113757
Avb keys used to verify a partition are stored in the first-stage
ramdisk. However, after /system is mounted, init will chroot into it.
This makes those keys inaccessible for later mounts, e.g., /vendor or
/product.
This change retains avb keys by reading all of them before chroot
into /system.
Note that it is intentional to perform public matching for both
preload_avb_key_blobs and fstab_entry.avb_keys in libfs_avb.
As some keys might only be availble before init chroots into /system,
e.g., /avb/key1 in the first-stage ramdisk, while other keys might
only be available after the chroot, e.g., /system/etc/avb/key2.
Bug: 147585411
Test: specify avb_keys for a partition and checks the keys are preloaded
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I6bd490c4215480db2937cdfc3fea0d616e224a91
These operators were included because they're present in the draft
standard proposal of std::expected, but they were deemed to lead to
bugs, particularly when T is implicitly convertible to bool.
Change-Id: Ib149decf1f230198f358dc1ae0eaed71961363f6
Test: m
We currently do not handle process actions (restarting services or
exiting timedout services) when we are waiting for an exec service,
but this seems to be the wrong behavior. Particularly, an exec
service may depend on a previously started service and if that service
crashes, we will deadlock unless init restarts it.
Bug: 146920034
Test: build, boot
Change-Id: Id2fc936b8a7b989862ba4c32c398a544941e0e76
Currently, this is only enabled for Virtual A/B devices. When /data uses
F2FS, then proper pinning support must be enabled.
Because /data cannot be mounted in recovery, we can't delete the scratch
image backed by /data while in fastbootd. Instead, we mark it as
disabled in /metadata. The remount command now has an init script that
checks for and removes a disabled scratch partition.
Bug: 134949511
Test: adb remount on V A/B device with patched F2FS
Change-Id: Ifc8720378259654472d3822e97059b6c366f601d
Also reset some more properties to make bootanimation work properly.
Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
mkdir always returns -1 for any types of errors.
errno should be checked for actual error type.
Test: m
Change-Id: I1b56d48ba48992a2f9629dc09d795c277b5b774d
This gives search (x) permission on the parent apex data
directory /data/misc/apexdata so that directories below it
may be opened. It also gives that permission on the apex
data directories themselves.
Bug: 147848983
Test: Build & flash, check perms are correct
Change-Id: I27c4ea01602002c89d0771a144265e3879d9041a
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
In case one of the cryptfs calls to vdc fails, first try a normal
reboot.
Test: manual
Bug: 135984674
Bug: 143970043
Change-Id: I5706d9cd6c3a08fa06329ffb7d141de632620e3d
Scoped storage has some unique requirements that are hard to implement
with the two mount namespaces, because the daemon that does the mounting
(vold) lives in a different namespace than the processes using those
mounts.
In particular, /mnt/installer is a special bind mount that should
receive mount events under /mnt/user, but at the same time only
only propagate mount events under /mnt/installer to /mnt/installer in
the other namespace. More details in the code.
Bug: 134706060
Test: /mnt/installer shows up and is setup correctly.
Change-Id: I6dab5ace5a345d9d684a9f1ae94c833fc294d49e
* Open the ImageManager according to the saved DSU slot.
* Load the saved install_dir when it presents. This is required
when installing to an external storage and the current code
seems to break it.
* Remove an unnecessary C++ using.
Test: gsi_tool install
Bug: 144247097
Change-Id: I5b7be25787f235518a25abacefa612c33861f6ef
While handling the fatal signals and abort, exits from the signal
handler to panic the system if "androidboot.init_fatal_panic" in cmdline
is configured as "true".
Bug: 146818493
Change-Id: I59fffb7598ce981383ae24961a97fd2fd8e8d64e
Commit Ida1a6da988c10d364b3ccdaa6c5d63e5264d1b27 allows specifying
AVB-related partitions to be probed in first-state mount, e.g.,
"avb=vbmeta_system" in the fs_mgr_flags will make init wait uevents
for vbmeta_system partition, which is required for AVB verification.
However, when specifying "avb=dtbo" to chain a /dtbo partition, first-stage
init will emit the following error as it assumes all partitions are
verified by Hashtree descriptors.
init: [libfs_avb]Hashtree descriptor not found: dtbo
This change fixes this by skipping raw partitions for first-stage mounting,
where raw partitions should already be verified by bootloader with Hash
descriptors. Although first-stage init does not perform Hash verification,
it still reads all Hash/Hashtree descriptors to calculate then compare
the "VBMeta Digest" passed from bootloader.
https://android.googlesource.com/platform/external/avb/#The-VBMeta-Digest
The following is an example of a fstab entry to chain /dtbo partition:
/dev/block/bootdevice/by-name/dtbo /dtbo emmc defaults slotselect,avb=dtbo,first_stage_mount
Bug: 146935233
Test: enable /dtbo as a chain partition, then boot the device
Change-Id: I590f1d9b78ef89b5aef21cb7bf19fdb90b27f808
Marks this CTS test module as supporting secondary_user, meaning that
the tests are eligible to be run from a regular Android user other
than the system user (i.e. other than user 0).
Note that 'user' here refers to the concept of users in Android
Multiuser; it is NOT the same as a uid.
Bug: 141773058
Test: module passed with secondary_user params
(--enable-optional-parameterization --module-parameter secondary_user)
Change-Id: Ic8d29cabe2542d75c8f873b677550db9f11b3050
The apex data directories must be accessed by apexd in order for it to
perform snapshot and restore as part of the rollback process. As apexd
runs as root, this CL changes the apex data directories under /data/misc
to be owned by root.
Bug: 141148175
Test: Build and flash; check permissions are set correctly.
Change-Id: Ib534e705802c06900884a15f39fee257d4987f4c
When BCB (bootloader message structure inside of misc partition) is
malformed (contains some non-printable characters in its fields),
"reboot recovery" command won't be able to write required string to
"command" field. It can happen for example when partition table was
created anew and 'misc' partition area contains some garbage. Also this
behavior can be emulated with this command:
$ fastboot erase misc
which leads to 'misc' partition to be filled with 0xFF characters. Hence
this code:
if (boot.command[0] == '\0') {
won't let us to set new string to "command" field. Let's check if
"command" field is malformed and fix it, before actually checking for
previously set content.
"fastboot erase" shouldn't be used for testing purposes though, as it
doesn't work sometimes due to alignment, on bootloader side:
Erasing blocks 6144 to 6144 due to alignment
........ erased 0 bytes from 'misc'
Instead one might use "dd" command to fill 'misc' with 0xFF's:
$ dd if=/dev/zero ibs=2k count=1 | tr "\000" "\377" >misc.img
$ fastboot flash misc misc.img
Test: Fill 'misc' partition with 0xFF's, then do "adb reboot recovery"
Change-Id: Ica8ca31012b9b2249645e7305830c07a20dd013c
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Current linkerconfig targets for specific output file. However,
linkerconfig will generate more than 1 file based on APEX modules, so it
should take argument for target directory rather than target file. This
change updates linkerconfig's argument to point output directory.
Bug: 146993126
Test: m -j passed & Cuttlefish succeeded to boot
Change-Id: I3a720a047077688582436aabd307adafeafc5398
Since I was there, added two more properties to reset, and switched
ordering of sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that
process name is already set when apexd/PackageWatchdog get's notified
about sys.init.updatable_crashing.
Also fixed a typo in what HandleUserspaceReboot function.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
There are two namespaces from init - bootstrap and default - and those
will have different set of APEX modules. To support difference between
two namespaces, linker config should be generated per namespace and each
namespace should use its own linker configuration. As a first step of
the work, this change will create different mount point for each
namespace, and re-generate linker config after APEX mount from each
namespaces.
Bug: 144664390
Test: m -j passed & tested from cuttlefish
Change-Id: Iac2e222376ec4b0ced6c29eed18b21d39ff0b1ba
The first_stage_mount code for DSUs predates both the DSU name and the
ImageManager abstraction. Move this code to ImageManager, so it can be
shared with overlayfs/scratch handling. And while we're here, rename GSI
to DSU for clarity.
Bug: 134949511
Test: dsu works
Change-Id: I9ef374bccc6cdbe2ada88baef4e7c0bc81b1e85e
When bind-mounting flattened APEX, use the apex name found in
apex_manifest.pb as the mount point, instead of the directory name which
might be different from apex name in case when the apex is overridden.
This allowed us to remove the special casing for the ART apex since we
/system/apex/com.android.art.release will be mounted to
/apex/com.android.art instead of /apex/com.android.art.release.
Bug: N/A
Test: m
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m, device is bootable
Change-Id: Ibdde7002b9078db390e6672b0eb82c474925451d
The previous code would lazily check for 'exact' and accept any other
value as a prefix match. This should be a tighter check allowing only
'exact', 'prefix', or an empty string for this option.
Test: build fails if an invalid string is used for the match operation
Test: build succeeds normally
Test: `getprop -Z` shows exact vs prefix is differentiated correctly
Change-Id: I21dcb193810d65f468f8960967eabfd261f71e21
As part of Watchdog-triggered rollback logging, it would
be useful to know the service which has caused
updatable_crashing to be set. Store this in a new property
sys.init.updatable_crashing_process_name.
Test: manual
Bug: 138782888
Change-Id: Iffa38b2b746abbb5d823a8d69b7b8d2456836f4e
We do not need to set up all directories from system.img for the first
stage ramdisk, only those which first stage init mounts on.
Test: n/a
Change-Id: I877c623bac0b6dd2927ebdefa20da929ff98b341
This creates the directory /data/misc/apexdata, at the same time as other
directories under /data/misc. Then, when apexd has finished activating
APEXes, a directory is created under /data/misc/apexdata for every
APEX, with the same name as the APEX module name.
See go/apex-data-directories.
APEXes are discovered by scanning the /apex directory. It may be better
to delegate this process to a library, but it is proposed to defer that
change to a future CL.
Bug: 141148175
Test: Built and flashed, checked directories were created.
Change-Id: I639d6f490ae0b97f116ce38ff3ac348bd73aa20e
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions with chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttelfish
Change-Id: Iaae5af65721eee8106311c1efb4760a9db13564a
Such services will be re-parsed and added back to the service list
during post-fs-data stage.
Test: adb reboot userspace
Test: atest CtsInitTestCases
Bug: 145669993
Bug: 135984674
Change-Id: Ibb393dfe0f101c4ebe37bc763733fd5d981d3691
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().
In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.
Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
During userspace reboot FscryptInstallKeyring will be called again, this
CL will make it second call a no-op, which IMHO is better than having a
special logic in init to conditionally call FscryptInstallKeyring
depending on whenever it's normal boot, or userspace reboot.
Test: adb reboot userspace
Test: checked in kernel logs that new keyring is not created
Bug: 135984674
Change-Id: I4ad5aee6887b7318fb1cd02bf1c7be8da6ece599
There are a few directories for builtin APEXes: /system/apex,
/system_ext/apex, /product/apex, /vendor/apex.
For devices with ro.apex.updatable=false, init should bind-mount
"flattened" apexes from all of above.
Bug: 144732372
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m && device boot
Change-Id: If151145e6e3d966b202300ff3a0ddb5ec9fdaa87
A recently added subcontext test was failing beause it was running as
non-root, but GTEST_SKIP() didn't work as I expected it to.
In retrospect, all of these tests except for the property one, can
easily run as root, so this changes allows all of these tests to run
as root, while fixing the original issue.
Bug: 144707143
Test: root and nonroot subcontext unit tests
Change-Id: Ia835597701698f6be2101f92d6f4c9450bd3c7dd
~2007 a change was added that would allow oneshot services to
daemonize by not killing their process group. This was a hack at the
time, and should certainly not be needed now. I've resisted removing
the behavior however, as it hadn't caused any issues.
Recently, it was detected that the cgroups that these processes belong
to, would exist forever and therefore leak memory. Instead of simply
removing the cgroups when empty, this provides a good opportunity to
do the right thing and fix this behavior once and for all.
The new (correct) behavior only happens for devices with vendor images
built for Android R or later. Init will log a warning to dmesg when
it detects this difference in behavior has occurred.
Bug: 144545923
Test: boot CF/Coral and see no difference in behavior.
Test: boot CF with a service that daemonizes and see the warning.
Change-Id: I333a2e25a541ec0114ac50ab8ae7f1ea3f055447
sys.init.userspace_reboot.in_progress will be used to notify all
the processes (including vendor ones) that userspace reboot is
happening, hence it should be treated as stable public api.
All other sys.init.userspace_reboot.* props will be internal to /system
partition and don't require any stability guarantees.
Test: builds
Test: adb reboot userspace
Bug: 135984674
Change-Id: Ifb64a6bfae2de76bac67edea68df44e33c9cfe2d
Watchdog is just a forked process that is going to fall back to the
full reboot in case device wasn't able to boot in given amount of time.
Currently this amount is hard-coded to 1 minute, but in the future it
will be controlled by a read-only property.
Also added sync calls before and after tearing down services.
Test: adb reboot userspace
Bug: 135984674
Change-Id: Ie6053c9446a6761deae6dc104036bb35b09ef0e2
Previously CheckPropertyTriggers() tried to do the entire property
triggers check with one loop. However, that would require calling
GetProperty() on all properties for all triggers just in case the
property that is being set is used by a given trigger.
This change first checks that the property being set exists in each
trigger and that its value is set such that the trigger would be
triggered, only then does it check that other property triggers are
set to the right value.
Bug: 143922756
Test: boot
Test: substantially fewer GetProperty() calls from
CheckPropertyTriggers()
Change-Id: I0228cf47328b31963eaf3fc689fb60f711532df4
There will be useful in debugging/logging events to statsd.
Also as part of this CL, sys.init.userspace_reboot.in_progress property
is now used as a mean of synchronization. It is set directly in
DoUserspaceReboot, to make sure that all the setprop actions triggered
by userspace-reboot-requested were processed.
Test: adb reboot userspace
Test: adb shell getprop sys.init.userspace_reboot.last_started
Test: adb shell getprop sys.init.userspace_reboot.last_finished
Bug: 135984674
Change-Id: I9debcd4f058e790855200d5295344dafb30e496a
Previously, we assumed that TriggerShutdown() should never be called
from vendor_init and used property service as a back up in case it
ever did. We have since then found out that vendor_init may indeed
call TriggerShutdown() and we want to make it just as strict as it is
in init, wherein it will immediately start the shutdown sequence
without executing any further commands.
Test: init unit tests, trigger shuttdown from init and vendor_init
Change-Id: I1f44dae801a28269eb8127879a8b7d6adff6f353
Use TEMP_FAILURE_RETRY() for recvmsg() to prevent failing
unnecessarily from EINTR. Use PLOG(ERROR) in ueventd to display the
actual error if reading from the uevent socket does fail.
Test: build
Change-Id: I64a22698ce6ffc7573f75b57803551c7b6940e30
We have all of the 'type' information for properties available during
build time, so let's check this when setting properties in init.
Test: setprop apexd.status bad results in:
host_init_verifier: Command 'setprop apexd.status bad'
(out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc:927)
failed: Property type check failed, value doesn't match expected type
'enum starting ready'
host_init_verifier: Failed to parse init script
'out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc'
with 1 errors
Test: CF builds without that error
Change-Id: Iaad07747c09f4a10b2b816c455d6e8a485357ab9
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc. There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.
Bug: 131087886
Bug: 140313207
Test: build/boot
Merged-In: I043d9a02ba588ca37ceba2c4e28ed631792b2586
Change-Id: I043d9a02ba588ca37ceba2c4e28ed631792b2586
* changes:
init: Add support for native service registration with lmkd
lmkd: Support process types when registering a process
lmkd: Add library function to unregister a process
lmkd: Prepare lmkd to support connection from init process
lmkd: Restrict process record modifications to the client that created it
From the implementation of FscryptInstallKeyring it looks like it will
install a new keyring on each call.
Another approach would be change FscryptInstallKeyring to first call
request_key[0] (http://man7.org/linux/man-pages/man2/request_key.2.html),
and don't add keyring in case request_key succeeded, but it looks like
that libkeyutils doesn't provide such functionality.
Since I was there, I've also added checks that we are not trying to
remount userdata on FDE devices.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I2e063d7d87a3c2c26810e913a33e3a5c0364332b
Init unit tests refer to libraries that do not exist for the
secondary ABI, and we'd rather test the libraries on the device than
statically link them, so only test the primary ABI.
Init will only run on the primary ABI in any case, and doesn't have
much arch specific code in it.
Bug: 143560509
Test: build
Change-Id: I3c1883b3b55e5a06391d2885242f38c74eab621d
init should be able to register native services with lmkd so that they
can be killed when needed. Only processes with oom_score_adjust not
equal to the default -1000 will be registered with lmkd because with the
score that low the process is unkillable anyway.
Inform lmkd when a registered process is killed so that the record can be
removed.
Change init.rc to start lmkd during init phase so that it is there to
register other services.
Replace hardcoded oom_score_adj values with appropriate definitions.
Bug: 129011369
Test: boot and verify native service registration
Change-Id: Ie5ed62203395120d86dc1c8250fae01aa0b3c511
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This will bring device to the state closer to the one during normal boot
Bug: 135984674
Test: adb install system/apex/shim/com.android.apex.cts.shim.v1.apex
Test: adb reboot userspace
Test: verified install succeeded
Change-Id: I6ef73bde2ca817c8a62bf19b8f1895dd0d6d2829
We are going to teamfood userspace reboot soon, and in order to gather
as much data as possible we are fine with ignoring checkpointing for the
devices with ext4 (teamfood will be a very limited set of people that
are aware what they've signed for).
As result of this, we don't need to reset vold and kill zram backing
device. Added a TODO to restore that functionality if needed.
Since I was there, fixed yet another typo in userspace-reboot-resume -_-
Bug: 135984674
Test: adb reboot userspace
Change-Id: I2b7a93aaf738fe9bec9d606d7e11aefb325550b1
FscryptSetDirectoryPolicy no longer tries to infer the action from the
filename. Well mostly; it still assumes top-level directories in /data
should be encrypted unless the mkdir arguments say otherwise, but
it warns.
Bug: 26641735
Test: boot, check log messages
Change-Id: Id6d2cea7fb856f17323897d85cf6190c981b443c
Legacy symlink from /charger to /system/bin/charger is
removed. Instead, all Android R devices are required
to use /system/bin/charger instead.
See hardware/interfaces/health/2.1/README.md for details.
Bug: 142286265
Test: charger mode
Change-Id: Ib478a864ef68647bc9fc14650ca3d382952b80c8
Allow for module load errors if first stage console is enabled, userdebug
development builds, load what you can and continue.
Test: compile
Bug: 141311820
Change-Id: I30f3ee1129373f6ffedcf03807c212c60d4c39aa
Also put libfscrypt into fs_mgr via whole_static_libs
since it's now a dependency.
Bug: 143307095
Test: we can use the inline policy on it
Change-Id: I82d7d5330abef76ce82accea25d2663748e87a8b
This is a behavior change and may have unintended consequences,
especially in Java, where failed property sets create exceptions.
Therefore, we only provide this new behavior to devices launching > Q.
Bug: 137070994
Test: build
Change-Id: If0b44aedc5c887ea6ea16dd3ec551ac2bf793cef
This patch translates UpdateState states into a MergeStatus from
IBootControl 1.1, and asks the HAL to store it. Unfortunately this patch
has to work around a few issues.
The first issue is that Soong doesn't allow including only the headers
from a HAL. The second issue is that entraining the headers requires
linking to libraries that would otherwise not be needed in init.
To address this, we now have three ways of linking to libsnapshot:
1. libsnapshot - Has access to gsid and HALs.
2. libsnapshot_nobinder - Has access to HALs, but not binder (for
recovery).
3. libsnapshot_init - Does not use binder or HALs.
The HAL code is #ifdef'd behind LIBSNAPSHOT_USE_HAL and we make use of
forward declarations and dependency injection to minimize its spread.
Bug: 139154945
Test: libsnapshot_test gtest
Change-Id: I21ffd8a79a43d0589f2f71f346ac1b019584a183
Since it's available in C++, it's easier to build host_init_verifier
with this than create a new way to export the json file.
Bug: 141567104
Test: manually change hidl interface in a manifest
host_init_verifier: system/core/rootdir/init.rc: 69:
host_init_verifier: Interface is not in the known set of hidl_interfaces: 'android.hardwar.edne@1.0::IFoo'. Please ensure the interface is spelled correctly and built by a hidl_interface target.
Change-Id: Ic73dcb51855cb751734bc497d8e69f379966c511
Especially now that property_service is a thread, there may be some
delay between when init sets sys.powerctl and when the main thread of
init receives this and triggers shutdown. It's possible that
outstanding init commands are run during this gap and that is not
desirable.
Instead, have builtins call TriggerShutdown() directly, so we can be
sure that the next action that init runs will be to shutdown the
device.
Test: reboot works
Test: reboot into recovery due to bad /data works
Change-Id: I26fb9f4f57f46c7451b8b58187138cfedd6fd9eb
This should help in preventing silly typos like "on foo:"
Test: atest CtsInitTestCases
Test: builds
Bug: 135984674
Change-Id: I6e4e18970e957d25dea9f557f0d31a759fbe6150
* Refactored code around stopping services a little bit to reuse it
between full reboot and userspace reboot.
* Add a scope_guard to fallback to full reboot in case userspace reboot
fails.
* In case of userspace reboot init will also wait for services to be
terminated/killed and log the ones that didn't react to
SIGTERM/SIGKILL in time.
* If some of the services didn't react to SIGKILL, fail userspace reboot.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I820c7bc406169333b0f929f0eea028d8384eb2ac
This CL only draws boundaries between userspace and full reboots, and
adds some functionality that will be required for userspace reboot:
* Whenever device is shutting down is now controlled in reboot.cpp,
since during userspace reboot this state can change.
* Now it's also possible to restart handling of control messages inside
property service. In case of userspace reboot, init will restart it
after stopping post-data services.
* New userspace-reboot-requested trigger is added similar to shutdown
one for full reboot.
Test: adb reboot
Test: adb reboot userspace
Bug: 135984674
Change-Id: Id55a53ba781d2b90ce40449037b6d8d47e72c476
It wasn't clear to me why init was rebooting until I saw that it was
SIGABRT, which then made me read through earlier log spam to work out
what was actually unhappy (the SELinux compiler, in my case).
Test: worked out why init was rebooting my device
Change-Id: I605d8956213c4c23711073fd4b0ff99562b7f351
When I previously tried this in https://r.android.com/1108553 , it broke on
some targets but I think that may have been fixed. I'm trying it again now
to see if this now passes treehugger and sticks.
Note: There is still an indirect dependency via libfs_mgr.
Bug: 137267623
Test: Treehugger
Change-Id: I2d8b909e451bb64a1eb0719a145dfd74da1dcbad
This property will need to be reset during userspace reboot, so it can't
be a read-only property anymore.
Test: builds
Bug: 135984674
Change-Id: I4e079b537cb5c725ac0b652804fdc801a6facfcf
Also, add a "name" field to SnapshotStatus, and delete
the "name" arg from CreateSnapshot / WriteSnapshotStatus.
ReadSnapshotStatus will warn if the name mismatches from
the file name, and auto-correct it.
Test: libsnapshot_test
Change-Id: I725cf39c07684b100b140a8a21ea9d23ab9d2241
Commit I27dd391fc06a3c78e88a65c7931c84de1699f157 makes property_service
no longer load selinux property_contexts by function
selinux_android_prop_context_handle.
So we should load property_contexts from /system_ext as well in
property_service.cpp.
Bug: 137712473
Bug: 141871131
Test: `adb shell getprop -Z` to check system_ext_property_contexts is loaded
Change-Id: I49c5c725784c0d598062ae356be6226446f4942a
Support setting v2 encryption policies on init-created directories. The
policy version to set is gotten from a new field in
/data/unencrypted/mode, which is the file that's used to pass the
encryption options from vold to init.
Also don't bother falling back to defaults if fields are missing from
this file, since it's re-written on every boot by vold.
Bug: 140500999
Test: tested as series; see If64028d8580584b2c33c614cabd5d6b93657f608
Change-Id: Ia9c5d4b80199686799e3ac80de78a50ed3bdabf4
We want ashmem to only be used via libcutils API, with long-term goal
being deprecation of ashmem with memfd. To do that we route libcutils to
a new source of ashmem fds. We then phase out uses of /dev/ashmem that
doesn't go through libcutils using SELinux.
In Q, we introduced ashmemd as the source of ashmem fds to libcutils.
However, having a separate process and, consequently, binder hops to
handle /dev/ashmem results in performance/memory overhead.
To address the overhead, replace ashmemd with a duplicate of
/dev/ashmem. Name it /dev/ashmem<boot_id>, where boot_id is a random
number generated on each boot. This way we make sure that developers
don't accidentally depend on /dev/ashmem<boot_id>, as that name can't be
hardcoded.
Bug: 139855428
Test: writing "add"/"remove" to /sys/class/misc/ashmem/uevent correctly
adds/removes /dev/ashmem and /dev/ashmem/boot_id
Change-Id: I36d23116048bfcd99903ba46cc133161835a2cfa
Some services are not native android services and therefore don't log
via the normal mechanisms. This gives developers an option to have
their stdout/stderr logs sent directly to kmsg.
Test: see test prints to kernel log
Change-Id: I7973ea74d5cab3a90c2cd9a3d5de2266439d0c01
There are no uevent fils in these dirs, so there's no need to
traverse these dirs.
Test: manual
Change-Id: I57b82846ad863952d8717e6c3ab80c1e243ee4f8
Signed-off-by: lijiazi <lijiazi@xiaomi.com>
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: Ib37622271b559d65462de99ff424be831004508a
There might be partitions like product or system_ext in addition
to the system partition. Those partitions can contain dependencies
required by the system so we need to make the init to recognize
these partitions and mount them accordingly.
Bug: 140092208
Test: gsi_tool install & reboot
Change-Id: Ie5ef063292c3656e79cce9f887f23a8faa1ba2be
There is a race condition with Service::Start and socket creation.
Since socket creation currently happens after the fork(), it's
possible that init can continue executing other commands before the
socket is created. If init starts another service that relies on that
socket, it isn't guaranteed to be available.
Particularly, we've seen this with hwservicemanager starting after
logd, but hwservicemanager's logs sometimes not showing up.
Bug: 140810300
Test: boot and logging functions correctly
Change-Id: Ib2932e836d345830cd38f3b556598508fd953058
All of the logic in reboot.cpp is meant to safely shutdown services,
safely unmount emulated RW file systems, then finally unmount the
remaining RW file systems, particularly /data. If /data hasn't been
mounted, then none of this logic is required.
Running this logic caused a lock up when shutting down blueline from
early-init. Vold, or potentially a related HAL, locked up during the
ShutdownVold() calls. debuggerd separately locked up in the watchdog
thread.
Therefore, this change immediately reboots if /data is not mounted.
It also removes the lines to call into debuggerd. debuggerd will not
run due to SELinux in any case, so it can only be used when hands-on
debugging a device.
Bug: 141082587
Test: shutdown with /data mounted continues as normal
Test: shutdown from early-init immediately shuts the device down
Change-Id: I79c72346b17c7dfe57e955d9739bcaf559badc14
This code is more generic than it needs to be and one of the side
effects is that an extra init process is forked for odm_init, despite
it having the same context as vendor_init. I don't think anything is
going to change regarding that soon, so this change stops forking that
extra process to save its memory and simplifies the code overall.
Bug: 141164879
Test: init still uses vendor_init for vendor_scripts
Test: init unit tests
Test: init only has one subcontext process
Change-Id: I0d224455604a681711e32f89fb20132378f69060
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.
Bug: 141248879
Test: m checkbuild
Change-Id: I5f0b9acfb57f68570f6f58f2395f2bb1bc015365
When userdata is used to store COW devices, we need to ensure we've
generated uevents for it.
This patch also refactors FirstStageMount to pass required devices
through arguments rather than a member variable.
Bug: 140761481
Test: manual test
Change-Id: Ie5e1c9699f084da5467a758eea41c7907fecc5ca
Bug: 140882488
Test: Booted twice, checked logs to ensure encryption
is different each time, adb created files in directory.
Change-Id: I44f746acd1040f7baa9123d4824ba39b194f287b
This replaces the recently added `exec_reboot_on_failure` builtin, since
it'll be cleaner to extend service definitions than extending `exec`.
This is in line with what we decided when adding `exec_start` instead
of extending `exec` to add parameters for priority.
Test: `exec_start` a service with a reboot_on_failure option and watch
the system reboot appropriately when the service is not found and when
the service terminates with a non-zero exit code.
Change-Id: I332bf9839fa94840d159a810c4a6ba2522189d0b
init_first_stage is built in Make and statically links libcrypto,
so it needs to set LOCAL_INJECT_BSSL_HASH to make the FIPS self
test pass.
Bug: 137267623
Test: m checkbuild
Change-Id: Icd8ec07b731228a162db9a13d7304bf1d73127aa
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.
Bug: 138352500
Test: unit tests
Change-Id: Ic5da37268fd78109f83ae52d1b903bf7322a5ee5
5aa6197d5f added the ability to
parallelize restorecon to speed up boot for devices that have not
completely moved to genfscon. This parallel restorecon happens after
the parallel ueventd handling.
This causes a performance regression for devices that have moved to
genfscon, since previously, the restorecon() was done in the main
ueventd thread in parallel with the uevent handlers.
I also tried to run the fully parallelized restorecon in parallel with
the uevent handlers, but that did not make any change to the cold boot
time, likely due to the additional overhead of parallelizing the work.
Bug: 140458170
Test: blueline coldboot time returns to pre-regression time.
Change-Id: I3cd6a869cc9b62792466813d94ad6c69834e854e
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Reland: during reboot, init stops processing property_changed messages
from property service, since it will not act on these anyway. This
had an unexpected effect of causing future property_set calls to block
indefinitely, since the buffer between init and property_service was
filling up and the send() call from property_service would then
block. This change has init tell property_service to stop sending it
property_changed messages once reboot begins.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: I26902708e8be788caa6dbcf4b6d2968d90962785
On every boot, there is a "duplicate" message logged at INFO level for
every system device-encrypted directory, e.g.:
1 1 I init : Setting policy on /data/app-private
1 1 I init : Encryption policy of /data/app-private set to 3a19970b1aa3abed modes 127/4
Or:
1 1 I init : Setting policy on /data/app-private
1 1 I init : Verified that /data/app-private has the encryption policy 3a19970b1aa3abed modes 127/4
(Before I51ee70706bc9ccb216ccefd7bdfbbfc57faae14d the second messages
were slightly different, but were similar and still at INFO level.)
The issue is that set_system_de_policy_on() prints its own log message,
then calls fscrypt_policy_ensure() which prints a message too; and the
second message is essentially a superset of the first.
Clean this up by removing the message from set_system_de_policy_on().
Test: Booted and checked the log.
Change-Id: I2786ba7e2dbb355f159ac9d8fe5ad1f0a4cdbfea
Added in af1a9bfb8f, but it's never been
used in practice because of the performance impact, and it's incompatible
with our ability to add new system calls via a bionic module update
because it defaults to disabling all unknown syscalls, and init will
still be using the non-updated bootstrap libc from when it first shipped.
Test: treehugger
Change-Id: I8e396675fcfaf0218a92f464d15e613f43319305
Instead of init.cpp knowning about the boringssl self
test, use init.rc to exec dedicated self test executables.
Advantages:
- The self test is run not only both the copy of libcrypto
in /system but also /apex/com.android.conscrypt.
- The self test is run not only for the primary (e.g. 64bit)
ABI but also for a secondarry (e.g. 32bit) ABI.
- The dependency on libcrypto is kept to the self test binary.
- The self test binary abstracts the exact native API for
running the self test (this will change soon because the
self test will be run when the library is loaded).
Bug: 137267623
Test: Check that logcat shows both binaries being started as root,
and finishing with exit code 0.
Change-Id: I1e716749ee2133993f0f7b2836483391fd1a62f0
Add exec_reboot_on_failure builtin and refactor the VDC commands that
had similar functionality. These will now also reboot in the case
that the program cannot be found or run for any reason.
Test: boots normally, reboots if command is not found or if command
returns status '1'
Change-Id: I1c99498c2b741512a50188e1a325c25e9ec8fba0
* changes:
Include com.android.runtime in the "runtime" linker namespace.
Update logic for detecting pre-apexd services to check that the ART APEX is mounted.
Update paths and names for the new ART APEX.
There is a race that manifests like this:
1) A service dies (not processed by init yet).
2) service_manager processes death notification.
3) service_manager gets checkService and calls init to start service.
4) init gets the ctl.start / ctl.interface_start for the service
but the service already appears started, so it does nothing.
5) init gets sigchld, but doesn't do anything else to restart the
service
We can avoid all of this if we already reap pending processes before
handling properties in the main loop of init. Since reaping the
services calls waitid(), there's no race even if the signalfd for
sigchld hasn't triggered yet. It also won't cost us much efficiency,
since it's only a single system call.
Test: CF boots, init unit tests pass
Change-Id: Ie24ef406055b283797b41b1821c8ebcccead4db4
mounted.
Necessary to make e.g. bootanimation work, which depends on (at least)
libandroidicu.so in the ART APEX.
Test: Build & boot
Bug: 135753770
Exempt-From-Owner-Approval: Approved internally
Change-Id: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
Merged-In: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
As part of debugging long run issue we are enabling
module info as part of debug build under the config key
DEBUG_MODULE_LOAD_INFO , But doing so can lead to info leak
as modules/dlkm are loaded in early-init and setting the
kptr_restriction is done after early-init.
So moving setting of kptr_restrict much before early-init.
Bug: 138641073
Change-Id: Ic3c0ca57a94c8b20136a15331dd646bd8825b625
generate subdir for /sys and /sys/devices, handle restorecon in parallel.
This reduces coldboot time on our target about 300ms.
Change-Id: I9c3d0e97aacff0ca127880d936dfd5fcc2aee125
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: I13b8bf240c9fcb1d2d5890a8be2f0ef74efd4adf
Use lstat(), and then make only the system calls needed to fix the
directory up.
Bug: 140027478
Test: boots twice, no worrying log messages.
Change-Id: I1c1445baae3ec1c1ce17626ede388aa04d5f7781
Note that /metadata must now be mounted before CreateLogicalPartitions()
is called. This is because SnapshotManager overrides the default
partitioning scheme, and the only way to tell if a SnapshotManager is
needed is via the metadata partition.
Bug: 139204329
Test: manual test
Change-Id: I812df6c4c0d4d8753b1516f63dc70c5bc3e1c09c
Before ImageManager was introduced, gsid avoided using PartitionOpener
when writing to external media. PartitionOpener couldn't interact with
non-boot devices, because it prepends /dev/block/by-name. We hacked
around this in both gsid and in first-stage init, which manually detects
the problem and prepends /dev/block instead.
After the ImageManager refactoring, sdcard support broke in gsid,
because it started relying on PartitionOpener. Let's fix this by allowing
/dev/block for mmcblk* names in PartitionOpener.
Bug: 139204329
Test: fiemap_image_test gtest
Change-Id: Ic1cbdbe0a18fc09522ee38cc62b35fd8193ce250
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: Id9534a5916abb2f7d2a49cda54e33c1b69c50c2f
host_init_verifier statically links libprocessgroup, which has shared
dependency on libjsoncpp. Right now it also has shared dependency on
libjsoncpp, resulting in ODR violation:
ERROR: AddressSanitizer: odr-violation (0x7fce895f3220):
[1] size=8 'Json::kNullRef' external/jsoncpp/src/lib_json/json_value.cpp:37:22
[2] size=8 'Json::kNullRef' external/jsoncpp/src/lib_json/json_value.cpp:37:22
These globals were registered at these points:
[1]:
#0 0x56276926ef0d (/usr/local/google/buildbot/src/android/master/out/host/linux-x86/bin/host_init_verifier+0xd1f0d)
#1 0x7fce894ac1d9 (/lib64/ld-linux-x86-64.so.2+0x101d9)
[2]:
#0 0x56276926ef0d (/usr/local/google/buildbot/src/android/master/out/host/linux-x86/bin/host_init_verifier+0xd1f0d)
#1 0x7fce894ac1d9 (/lib64/ld-linux-x86-64.so.2+0x101d9)
Move host_init_verifier to libjsoncpp_headers to fix the ODR violation.
Bug: 139546461
Bug: 131328001
Test: Run ASAN host_init_verifier
Change-Id: I54a51138d61fff37f092ffaa0758817600a0af9d
When we have a property match along with an event trigger, we
currently don't allow matching empty property values, in other words,
properties that are unset. For example, the below trigger would never
be run:
on zygote-start && property:persist.sys.fuse=""
That doesn't make sense though, it should be possible to match an
empty property value, so this change allows that trigger to match when
persist.sys.fuse is either empty or not set.
This continues to not match a '*' to an empty property, so
on zygote-start && property:persist.sys.fuse=*
will not run if persist.sys.fuse is empty or unset.
Test: the above triggers run appropriately
Change-Id: Ia57de7b96ad352590d0c82ff4ae95060b7361976
Includes refactoring out interface inheritance hierarchy logic to a new
interface_utils file.
Bug: 137397100
Test: 'm' with an init_rc that misspells an interface in an
interface_start, interface_restart, or interface_stop line.
Change-Id: I9f650289d64ae2b13435a81e1693c7ab5e6e9ecf
* changes:
Adds new property for service name -> PID.
Adds a library to parse service info from init_rc files for use in tests.
Adds a visibility rule for init defaults.
Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more. This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct. For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.
Test: build
Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b
It's better to pass the error message to the caller to determine how
best to print the error.
Test: build
Change-Id: Id8857c459df2f26c031650166609608d20e4d051
Previously we were ignoring ENOENT from all builtins as
rootdir/init.rc has many legacy commands that we need to keep for
backwards compatibility, but are otherwise no longer relevant.
However, this wasn't catching actual issues, for example chown failing
due to not finding the user or group name. This change therefore
reduces the scope of ignoring ENOENT to the only the extraneous errors
in builtins.
Test: boot CF and walleye without seeing errors from init.rc
Test: see errors from invalid users/groups in chown
Change-Id: Ia8e14fa2591e083cb1736c313a3e55515bc5d15e
It is exceedingly difficult to debug I/O and filesystem corruption
issues during first and selinux initialization stage init. By
redirecting stderr, and for good measure stdout, to /dev/kmsg in
first stage init before it exec's "/system/bin/init" we can see
the filesystem corruption errors more clearly.
Before this we would see:
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
and then wonder why?
After this change we can see:
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
libc: Fatal signal 5 (SIGTRAP), code 128 (SI_KERNEL), fault addr...
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
-or-
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
linker: CANNOT LINK EXECUTABLE "/system/bin/init": cannot locate symbol...
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
(NB: with stutter removed because of stdout and stderr)
Silence from these sources otherwise on successful execution.
Test: boot
Bug: 138459777
Change-Id: I4200b24baeaa6e408a5e0a2c890561bda1e2f1f4
I've heard that keyword_map is too complex, in particular the tuple
and the pair in BuiltinFunctionMap, so this change removes a lot of
that complexity and, more importantly, better documents how all of
this works.
Test: boot, init unit tests
Change-Id: I74e5f9de7f2ec524cb6127bb9da2956b5f307f56
This reverts commit 4d35f2e59c.
Reason for revert: b/137523800 This breaks factory reset on all devices (and potentially rescue party and non-ab updates). Because the init code unconditionally clear the arguments like "--wipe_data" written by framework; as a result, device boots into recovery without doing wipe.
I guess one fix is to check the content of BCB, and skip the overwrite if it already boots into recovery. Revert the cl first to unblock p1, will submit the fix separately.
Change-Id: Iccaf3dce6999005c2199490a138844d5a5d99e7f
For devices that use FDE and don't support updatable APEXes, don't
stop and restart all processes - there is no need and it only increases
boot time for these devices.
Additionally, some daemons have never been restarted in the past, and
restarting them exposes certain issues.
Bug: 137251597
Bug: 136777273
Bug: 135627804
Test: verified manually w/ ro.updatable.apex=false
Change-Id: I9590f2c2cdfab0a49f39846896460305d44221ee
This makes `pathmod init` and `gomod init` work, and it also reserves
the 'init' for potential future usage.
Change-Id: I6990bf421211b93d58d978d84d46474ff243e808
Bugs: me
Test: pathmod init; gomod init
clang-tidy hinted that some of this code wasn't right. Looking
deeper, there is really not much related to file and socket
descriptors, except that they're published in similar ways to the
environment. All of the abstraction into a 'Descriptor' class takes
us further away from specifying what we really mean.
This removes that abstraction, adds stricter checks and better errors
for parsing init scripts, reports sockets and files that are unable to
be acquired before exec, and updates the README.md for the passcred
option.
Test: build, logd (uses files and sockets) works
Change-Id: I59e611e95c85bdbefa779ef69b32b9dd4ee203e2
This fixes a race condition where WaitForFile() after
GetDmDevicePathByName appears to succeed, but a subsequent operation on
the path fails. This can happen when CreateDevice() is called
immediately after a call to DeleteDevice (from any process), and the
path is re-used, enqueuing udev events to remove and re-add the block
device.
The fix for this is to introduce a new variant of CreateDevice() that
has a timeout parameter. When the timeout is positive, CreateDevice()
will wait for a /dev/block/mapper/by-uuid symlink to be created, which
signals that ueventd has finished processing the operation.
ueventd will now create these by-uuid symlinks for device-mapper nodes.
Unfortunately, the uuid is only available during "change" events, so we
have to special case device-mapper symlink creation. And since the uuid
is not available during "remove" events, we simply find matching links
to remove them.
This ensures that callers of CreateDevice() can use the device path
knowing that no asynchronous removals are pending. Code that uses the
old CreateDevice+WaitForFile pattern will be transitioned to the new
method.
Note that it is safe to ignore the timeout, or to use the "unsafe"
CreateDevice, if the caller ensures the path by other means. For example
first-stage init has no device removal, and regenerates uevents until
it has acquired all the paths it needs.
Finally, since libdm now inspects sysfs unconditionally, libdm consumers
need r_dir_file perms for sysfs_dm in their sepolicy. Additionally
linking to libdm now requires linking to libext2_uuid.
Bug: 135771280
Test: libdm_test
device flashes, boots
Change-Id: If5a7383ea38f32a7fbbcf24842dce6a668050a70
Bug: 118016875
Test: Added 'interface' lines to an init_rc file and observed errors
when misspelled or missing entire inheritance hierarchy.
Change-Id: I681420f15539742d8415808b2a0dcbf0bf6faaf1
Without this change "adb reboot recovery" leads to normal boot.
Change-Id: I361d0a1f6f6f2c57f3dc80102c21970b462c9b9c
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
- unused
- using binder requires twoway calls (since getting a service from
servicemanager requires two calls)
Bug: 135768100
Test: N/A
Change-Id: Idc41f487bad2d8343e99ded98812f3a84e2b8e37
android-base:
* Add NOLINT for expanding namespace std for std::string* ostream
overload
libdm:
* Fix missing parentesis around macro parameters
init:
* Fix missing CLOEXEC usage and add NOLINT for the intended
usages.
* Fix missing parentesis around macro parameters
* Fix erase() / remove_if() idiom
* Correctly specific unsigned char when intended
* 'namespace flags' should be signed, since 'flags' it signed for
clone()
* Add clear to property restore vector<string> to empty after move
* Explicit comparison against 0 for strcmp
Test: build
Change-Id: I8c31dafda2c43ebc5aa50124cbbd6e23ed2c4101
Start and wait on a console if androidboot.first_stage_console=1 is
present on the kernel command line. This only works on eng and
userdebug builds.
Change-Id: I978e9390a89509431b399ea58b284736b27eeb1b
Test: Adding a misspelling to an init_rc's interface line and observing
build failure.
Bug: 77646540
Change-Id: I58f66d73f0bd9b4203e8259161843b56ad428d73
In retrospect, these always should have been header only. We don't
need setgroups() anymore either, since we have the right symbols now.
Test: build
Change-Id: If6fbf6f8ee288ed261576207d90a7ec5674853f9
By moving it into builtins.cpp..., but that's less bad than it is
now, especially since this is defunct in code targeting Q+. Remove
the guards that init.h isn't being included by other files too as it's
not useful anymore.
Test: build
Change-Id: Ic564fcff9e8716ec924098b07a8c9d94ca25f960
There's no fundamental reason to store this aside. That property can
only be written by init, so it's not likely that we're going to
corrupt it.
Test: boot and use serial console
Change-Id: I9248fbaf959ea913d09add829d4cb509af99d570
It's been a long standing problem that init calls fs_mgr functions
synchronously and therefore stops handling properties, which causes
deadlocks if either fs_mgr, or vdc, or vold attempt to set
properties.
Previous work, b/21904461, shows that there is a large performance
penalty for adding any amount of locking to properties, so moving
property service into its own thread generically is not a viable
option. However, we can be sure that init is not setting properties
while the fs_mgr functions are running, so we can poll the property
socket in a thread while we call these functions.
The other alternative would have been to separate the fs_mgr functions
into smaller pieces and revisit the main init loop between each
piece. Unfortunately, this would be difficult, since
fs_mgr_mount_all() calls out to different processes via logwrapper,
which synchronously polls on a logging FD from the child, among other
complexities that would make this strategy much more difficult than it
would be worth.
Bug: 21904461
Test: device boots, including when setting property in
fs_mgr_mount_all()
Change-Id: Ib0b7123024035884f9d90f9b489c1e2f5a2e1707
Modprobe functionality is required both within first stage init and also
as a standalone binary. Create a library for this using and extending
the logic in modalias_handler.cpp.
First stage init will attempt to load modules from /lib/modules.
Bug: 129780532
Change-Id: Ie3582358fd839c2f64e1b386b30ed551a86aef5d
Init had some pretty horrid Error() << StringPrintf(...) calls that
are all much better replaced by Errorf(...) now.
Test: build, check that keyword_map errors look correct
Change-Id: I572588c7541b928c72ae1bf140b814acdef1cd60
This change is to support importing property file with its path
variations.
By substitute its filename with another, it can be used to handle
runtime varying filename within single binary.
Here's an example of usage in property defined file.
import /odm/build_${ro.boot.product.hardware.sku}.prop
Bug: 132592551
Test: boot a device and checks above example import statement in
"/odm/build.prop" loading expanded filename correctly
Change-Id: If3fdcf620a5d717e0930b1e4e58261bc8f79ec24
Ueventd can't set properties currently, but this is an artificial
limitation, since ueventd communicates to init that it has finished
cold boot via a file, and init polls this file instead of returning to
the epoll loop, where properties are handled.
This change replaces that file with a property and thus frees ueventd
to be able to set properties.
Bug: 62301678
Test: boot, check that properties are set
Change-Id: I985688e9299456efcb2dfeef9b92668991aa9c05
